[187557] in North American Network Operators' Group


Re: UDP Amplification DDoS - Help!

daemon@ATHENA.MIT.EDU (Andrew Kirch)
Mon Feb 8 22:05:33 2016

X-Original-To: nanog@nanog.org
In-Reply-To: <1416724727.2271082.1454986558469.JavaMail.zimbra@snappytelecom.net>
Date: Mon, 8 Feb 2016 21:58:52 -0500
From: Andrew Kirch <trelane@trelane.net>
To: Faisal Imtiaz <faisal@snappytelecom.net>
Cc: Mitch Dyer <mdyer@development-group.net>, nanog list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Use a CDN provider or AWS ELBs or something to absorb the attacks?

On Mon, Feb 8, 2016 at 9:55 PM, Faisal Imtiaz <faisal@snappytelecom.net> wrote:
> Not quite sure what kind of info / confirmation you are looking for...
>
> There are lots of articles (do a google search) on this topic as well as mitigation ...
>
> e.g.
>
> http://blog.nexusguard.com/ssdp-ddos-attacks/
>
> &
> https://tools.ietf.org/html/bcp38
>
> Regards
>
> Faisal Imtiaz
> Snappy Internet & Telecom
>
> ----- Original Message -----
>> From: "Mitch Dyer" <mdyer@development-group.net>
>> To: "nanog list" <nanog@nanog.org>
>> Sent: Monday, February 8, 2016 6:14:06 PM
>> Subject: UDP Amplification DDoS - Help!
>
>> Hello,
>>
>> Hoping someone can point me in the right direction here, even just confirming my
>> suspicions would be incredibly helpful.
>>
>> A little bit of background: I have a customer I'm working with that is
>> downstream of a 1Gb link that is experiencing multiple DDoS attacks on a daily
>> basis. Through several captures I've seen what appear to be a mixture of SSDP
>> and DNS amplification attacks (though not at the same time). The attack itself
>> seems to target the PAT address associated with a specific site; if we change
>> the PAT address for the site, the attack targets the new address at the next
>> occurrence. We've tried setting up captures and logging inside the network to
>> determine if the SSDP/DNS requests originate within the network but that does
>> not appear to be the case.
>>
>> We've reached out for some assistance from the upstream carrier but they've only
>> been able to enforce a 24-hour block.
>>
>> I'm hoping someone with some experience on this topic would be able to shed some
>> light on a better way to attack this or would be willing to confirm that we are
>> simply SOL without prolonged assistance from the upstream carrier.
>>
>> Thanks in advance for any insight.
>>
>> Mitch
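Added example, not part of the thread above: the original post describes capturing at the edge to tell whether the SSDP/DNS traffic is solicited by inside hosts, and the reply points at BCP38. The Python below runs the two checks a practitioner would want over constructed UDP flow records (addresses from the RFC 5737 TEST-NET ranges, a PAT address of 203.0.113.10 and an own prefix of 203.0.113.0/24 are assumptions for the example). Reflected amplification traffic arrives as UDP *responses* from the reflector's service port (53 for DNS, 1900 for SSDP) addressed to a port the victim never sent a request from; the first check flags inbound flows from those ports that have no mirrored outbound request shortly before them. The second check lists outbound packets whose source address is not in the network's own prefixes, i.e. the spoofed packets that BCP38 egress filtering drops before they can trigger a reflection elsewhere.

```python
"""Classify UDP flow records for amplification-reflection traffic.

Constructed example: the flow records below are made up to resemble what a
capture at a PAT/NAT edge would show. Nothing here is from the original post.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors, keyed by the source port a
# reflected response arrives from.
REFLECTOR_PORTS = {53: "DNS", 1900: "SSDP", 123: "NTP", 161: "SNMP", 19: "chargen"}


@dataclass(frozen=True)
class Flow:
    ts: float          # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int
    direction: str     # "in" (arriving at our edge) or "out" (leaving our network)


def unsolicited_reflections(flows, protected_ip, window=2.0):
    """Inbound flows from a reflector service port to protected_ip that have no
    mirrored outbound request (our ip:port -> reflector ip:port) in the
    preceding `window` seconds. These are the reflected responses an attacker
    triggered by spoofing protected_ip elsewhere."""
    requests = defaultdict(list)   # (src, sport, dst, dport) -> request timestamps
    for f in flows:
        if f.direction == "out":
            requests[(f.src, f.sport, f.dst, f.dport)].append(f.ts)
    hits = []
    for f in flows:
        if f.direction != "in" or f.dst != protected_ip or f.sport not in REFLECTOR_PORTS:
            continue
        mirror = (f.dst, f.dport, f.src, f.sport)
        solicited = any(0 <= f.ts - t <= window for t in requests.get(mirror, ()))
        if not solicited:
            hits.append(f)
    return hits


def summarize(hits):
    """Per-service totals: packet count, bytes, and number of distinct reflectors."""
    acc = {}
    for f in hits:
        svc = REFLECTOR_PORTS[f.sport]
        s = acc.setdefault(svc, {"packets": 0, "bytes": 0, "reflectors": set()})
        s["packets"] += 1
        s["bytes"] += f.nbytes
        s["reflectors"].add(f.src)
    return {svc: {"packets": s["packets"], "bytes": s["bytes"],
                  "reflectors": len(s["reflectors"])} for svc, s in acc.items()}


def bcp38_violations(flows, own_prefixes):
    """Outbound flows whose source address is outside our own prefixes.
    BCP38 ingress/egress filtering drops exactly these at the network edge."""
    nets = [ipaddress.ip_network(p) for p in own_prefixes]
    return [f for f in flows
            if f.direction == "out"
            and not any(ipaddress.ip_address(f.src) in n for n in nets)]


# Constructed sample: PAT address 203.0.113.10, reflectors in 198.51.100.0/24.
SAMPLE_FLOWS = [
    # Legitimate: a query from behind the PAT and its response 100 ms later.
    Flow(100.0, "203.0.113.10", 40000, "198.51.100.53", 53, 60, "out"),
    Flow(100.1, "198.51.100.53", 53, "203.0.113.10", 40000, 120, "in"),
    # Unsolicited, large DNS responses from several resolvers to a port we never used.
    Flow(200.0, "198.51.100.1", 53, "203.0.113.10", 80, 3000, "in"),
    Flow(200.0, "198.51.100.2", 53, "203.0.113.10", 80, 3200, "in"),
    Flow(200.1, "198.51.100.3", 53, "203.0.113.10", 80, 2900, "in"),
    # Unsolicited SSDP responses (source port 1900) from exposed UPnP devices.
    Flow(300.0, "198.51.100.77", 1900, "203.0.113.10", 8080, 350, "in"),
    Flow(300.0, "198.51.100.78", 1900, "203.0.113.10", 8080, 340, "in"),
    # A spoofed packet leaving our network: this is what BCP38 filtering stops.
    Flow(310.0, "192.0.2.5", 5000, "198.51.100.200", 53, 60, "out"),
]

if __name__ == "__main__":
    hits = unsolicited_reflections(SAMPLE_FLOWS, "203.0.113.10")
    for svc, s in summarize(hits).items():
        print(f"{svc}: {s['packets']} unsolicited responses, {s['bytes']} bytes, "
              f"{s['reflectors']} reflectors")
    for f in bcp38_violations(SAMPLE_FLOWS, ["203.0.113.0/24"]):
        print(f"BCP38 violation: outbound src {f.src} not in our prefixes")
```

The request/response matching is deliberately strict (full mirrored 4-tuple within a short window), which is the right default at a PAT edge: every legitimate outbound UDP request leaves the same translated address and port the reply comes back to, so anything arriving from port 53 or 1900 without that mirror is reflection traffic. The BCP38 check only finds spoofing that leaves *your* network; it cannot stop a third party's customers from spoofing your PAT address, which is why the upstream's cooperation the original poster mentions still matters.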
